From: Will Deacon <will@kernel.org>
To: Peter Collingbourne <pcc@google.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>,
Linux ARM <linux-arm-kernel@lists.infradead.org>,
Daniel Kiss <daniel.kiss@arm.com>
Subject: Re: [PATCH 2/2] arm64: Configure kernel's PTR_AUTH key when it is built with PTR_AUTH.
Date: Wed, 9 Dec 2020 10:51:03 +0000 [thread overview]
Message-ID: <20201209105103.GA7273@willie-the-truck> (raw)
In-Reply-To: <CAMn1gO4LMkaV_wkE4MGo3UVhY+A+O3b5Y_0FkWudda3fbeAzhg@mail.gmail.com>
On Tue, Dec 08, 2020 at 11:33:33AM -0800, Peter Collingbourne wrote:
> On Tue, Dec 8, 2020 at 3:00 AM Catalin Marinas <catalin.marinas@arm.com> wrote:
> >
> > On Mon, Dec 07, 2020 at 03:07:07PM -0800, Peter Collingbourne wrote:
> > > On Mon, Dec 7, 2020 at 2:46 PM Daniel Kiss <daniel.kiss@arm.com> wrote:
> > > > If the kernel is not compiled with CONFIG_ARM64_PTR_AUTH_KERNEL,
> > > > then the kernel does not need a key and kernel's key could be disabled.
> > > >
> > > > Signed-off-by: Daniel Kiss <daniel.kiss@arm.com>
> > > > ---
> > > > arch/arm64/include/asm/asm_pointer_auth.h | 68 ++++++++++++++++-------
> > > > arch/arm64/include/asm/processor.h | 2 +
> > > > arch/arm64/kernel/asm-offsets.c | 4 ++
> > > > 3 files changed, 55 insertions(+), 19 deletions(-)
> > > >
> > > > diff --git a/arch/arm64/include/asm/asm_pointer_auth.h b/arch/arm64/include/asm/asm_pointer_auth.h
> > > > index 52dead2a8640..af3d16027e8f 100644
> > > > --- a/arch/arm64/include/asm/asm_pointer_auth.h
> > > > +++ b/arch/arm64/include/asm/asm_pointer_auth.h
> > > > @@ -14,6 +14,12 @@
> > > > * thread.keys_user.ap*.
> > > > */
> > > > .macro ptrauth_keys_install_user tsk, tmp1, tmp2, tmp3
> > > > +#ifndef CONFIG_ARM64_PTR_AUTH_KERNEL
> > > > + /* Reenable A key */
> > > > + mrs \tmp1, sctlr_el1
> > > > + orr \tmp1, \tmp1, SCTLR_ELx_ENIA
> > > > + msr sctlr_el1, \tmp1
> > > > +#endif
> > >
> > > We should avoid an unconditional MSR on exit like this as it is
> > > expensive (for my PR_PAC_SET_ENABLED_KEYS series I measured the cost
> > > of entry/exit MSR as 43.7ns on Cortex-A75 and 33.0ns on Apple M1). In
> > > that series I take care not to touch SCTLR_EL1 unless necessary.
> > > Likewise for the MSRs on entry below.
> >
> > I think that's how Daniel attempted the first (internal) version of
> > these patches. In theory you don't need to touch SCTLR_ELx_EN* at all as
> > long as the kernel does not use any PAC instructions. However, I was
> > a bit concerned about this and thought it's safer if, when
> > !CONFIG_ARM64_PTR_AUTH_KERNEL, the EnIA bit is cleared while in the
> > kernel.
> >
> > If we can guarantee that the compiler does not generate any PAC
> > instructions (it may assume they are no-ops) and vendor modules don't
> > have such instructions either, we may be able to relax this.
>
> The way I see it it isn't too different from the current prohibition
> on using IB in the kernel (and to a lesser extent DA/DB/GA since those
> can't be accessed from nop-space as far as I'm aware), or NEON
> instructions in most parts of the kernel, or the stack protector
> cookie when building with -fno-stack-protector etc. i.e. if you do
> that then you're breaking the ABI.
>
> Is your concern that distributions may default to enabling
> -mbranch-protection which would result in the PAC instructions being
> used? To address that I think it is reasonable to expect the compiler
> not to use PAC instructions when passing -mbranch-protection=none, and
> if the compiler does so then that is a bug in the compiler.
I'm inclined to agree. At the very least, I think we should start from a
position where we assume the compiler doesn't randomly emit these
instructions, and then we can revisit that decision in future if it turns
out to be wrong.
Will
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2020-12-09 10:52 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-07 22:46 arm64: split ARM64_PTR_AUTH option to userspace and kernel configs Daniel Kiss
2020-12-07 22:46 ` [PATCH 1/2] arm64: Add ARM64_PTR_AUTH_KERNEL config option Daniel Kiss
2020-12-07 22:46 ` [PATCH 2/2] arm64: Configure kernel's PTR_AUTH key when it is built with PTR_AUTH Daniel Kiss
2020-12-07 23:07 ` Peter Collingbourne
2020-12-08 11:00 ` Catalin Marinas
2020-12-08 19:33 ` Peter Collingbourne
2020-12-09 10:51 ` Will Deacon [this message]
2020-12-09 11:56 ` Daniel Kiss
2020-12-18 11:56 ` arm64: split ARM64_PTR_AUTH option to userspace and kernel Daniel Kiss
2020-12-18 11:56 ` [PATCH v2 1/2] arm64: Add ARM64_PTR_AUTH_KERNEL config option Daniel Kiss
2021-01-26 13:27 ` Will Deacon
2021-02-08 14:39 ` Daniel Kiss
2020-12-18 11:56 ` [PATCH v2 2/2] arm64: Do not configure kernel's PTR_AUTH key when it not needed Daniel Kiss
2021-01-26 13:32 ` Will Deacon
2021-01-26 13:17 ` arm64: split ARM64_PTR_AUTH option to userspace and kernel Will Deacon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201209105103.GA7273@willie-the-truck \
--to=will@kernel.org \
--cc=catalin.marinas@arm.com \
--cc=daniel.kiss@arm.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=pcc@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).